
IDOR Vulnerability Discovered in OopsSec Store's Order Confirmation Feature
cybersecurity, vulnerability, idor, insecure_direct_object_reference, data_breach, web_application, nodejs, nextjs, ethical_hacking, demonstration_lab
A vulnerability classified as Insecure Direct Object Reference (IDOR) has been identified in the order confirmation function of the OopsSec Store online shop. This flaw allows an authenticated user to access other customers' data by manually altering the order identifier in the URL (e.g., /orders/ORD-004). The exposed information includes names, email addresses, shipping addresses, and order details. The vulnerability stems from the lack of server-side authorization checks and the use of predictable sequential identifiers. A demonstration lab, built with Node.js and Next.js, reveals the flag OSS{1ns3cur3_d1r3ct_0bj3ct_r3f3r3nc3} upon exploitation. No specific date or real-world production impact is mentioned.